Skip to content

Exposing Hydra to the internet and using reverse proxies

Jump to bottom
theotherp edited this page Jan 21, 2018 · 17 revisions

If you want your Hydra instance to be accessible from other computers I strongly recommend putting it behind a basic auth protected reverse proxy (e.g. Apache or nginx).

Make sure to include all the important headers (x-forwarded-to, x-forwarded-proto and host or x-forwarded-host). Also X-Forwarded-For to get the actual IPs of callers and x-forwarded-port if the port is not 80 or 443

Apache

<VirtualHost *:443>
	#If you use a different port make sure to include it in the X-Forwarded-Host header or set X-Forwarded-Port
	ServerName localhost
	SSLProxyEngine On
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerExpire off
	SSLEngine on
	SSLCertificateFile /etc/conf/nzbhydra.crt
	SSLCertificateKeyFile /etc/conf/nzbhydra.key
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

	ProxyRequests off
	ProxyPreserveHost On
	RequestHeader set X-Forwarded-Proto https
	#Make sure to load module remoteip
	RemoteIPHeader X-Forwarded-For
	RemoteIPHeader X-Real-IP
	#Add missing trailing slash because otherwise you will get a 404 when calling without it
	RewriteEngine on
	RewriteRule ^/nzbhydra2$ /nzbhydra2/ [R] 

	ProxyPass /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
	ProxyPassReverse /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
</VirtualHost>

nginx

server {
	listen       443;
	#If you use a different port make sure to include it in the X-Forwarded-Host header or set X-Forwarded-Port
	server_name  192.168.1.111;
	ssl on;
	ssl_certificate      nzbhydra.crt;
	ssl_certificate_key  nzbhydra.key;

	location /nzbhydra2 {
		proxy_pass http://127.0.0.1:5076/nzbhydra2/;
		proxy_set_header        X-Real-IP			$remote_addr;
		proxy_set_header        Host				$host;
		proxy_set_header        Scheme				$scheme;
		proxy_set_header        X-Forwarded-For		$proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto	$scheme;
		proxy_set_header        X-Forwarded-Host	$host;
		proxy_redirect off;
	}
}

Caddy

localhost:2015
tls self_signed # Probably Let's encrypt but that's not the focus here
proxy /nzbhydra2 127.0.0.1:5076/ {
	transparent
	header_upstream X-Forwarded-Host {host}
}
rewrite / {
	#Rewrite URLs without trailing slash
	regexp ^/nzbhydra2$ 
	to /nzbhydra2/
}

In the main settings set your "URL base" to "/nzbhydra2" if you used a path in the reverse proxy. Leave it empty if you don't (for example "ProxyPass / http://127.0.0.1:5076/", which is unusual).

If you have selected to add NZBs to downloaders by sending links make sure that you call Hydra using an address that is reachable by the downloader.

Clone this wiki locally